You are on page 1of 7

Bluetooth* Architecture Overview

James Kardach, Mobile Computing Group, Intel Corporation

Index words: Bluetooth, Piconet, IEEE, 802.15, PAN, Wireless, CMOS Radio, Data Access Points, Cable
Replacement, WLAN, Global, Frequency Hopping, SIG

the IEEE organization has recognized the need for


ABSTRACT wireless cable replacement technology and started the
The Bluetooth* wireless technology was created to solve a development of the 802.15 working group that focuses on
simple problem: replace the cables used on mobile devices this market (they call it Wireless Personal Area
with radio frequency waves. The technology encompasses Networks). This specification is based on the Bluetooth
a simple low-cost, low-power, global radio system for technology!
integration into mobile devices. Such devices can form a
quick ad-hoc secure "piconet" and communicate among INTRODUCTION
the connected devices. This technology creates many
The Bluetooth technology was developed to provide a
useful mobile usage models because the connections can
wireless interconnect between small mobile devices and
occur while mobile devices are being carried in pockets
their peripherals. Target markets were the mobile
and briefcases (therefore, there are no line-of-sight
computer, the mobile phone, small personal digital
restrictions). This paper provides a brief description of
assistants and peripherals. These markets were
some of these usage models and explains how the
represented by the companies who created the technology:
Bluetooth architecture is optimized to enable them. But
Intel, 3COM, Ericsson, IBM, Motorola, Nokia, and
first, let us answer the question why now.
Toshiba, and were further supported by the 1,600 other
Original Bluetooth market requirements dictated early adopter companies.
integration into small handheld devices (mobile phones
The goals of the technology did not include developing
and computers were key clients), low cost (longterm cost
another Wireless Local Area Network (WLAN)
of under $5 per connection point), high security, low
technology, for which there were already many in the
power, and ubiquitous global use of the technology.
market and many more being developed. Rather, whereas
There was no single cellular technology that could meet
WLANs are designed to efficiently connect large groups
the global use requirement (there are five wireless phone
of people over a common backbone, the Bluetooth
technologies in the US alone). While WLANs had good
technology was designed to connect mobile devices over a
ad-hoc networking capabilities, there was no clear market
personal and private connection (in essence, to replace the
standard to pick (there are at least three varieties of IEEE
cables carried by many mobile travelers).
802.11 standards and a variety of other proprietary
solutions in the market). Moreover, cost was too high for The Bluetooth technology tries to emulate the cost,
integration; there were no global standards, and security, and capabilities of common cables carried by
integration into small handheld devices (like mobile mobile travelers. The technology must be as secure as a
phones) was a problem. As such it was decided to take a cable (supports application/link layer authorization,
different approach: replace the cable from the “Network authentication, and encryption); must be manufactured for
Adapter” (WLAN card or cellular phone) with a low-cost about the same cost as a cable (designed for eventual
RF link that we now call Bluetooth. manufacture as single chip CMOS radio giving a long-
term cost goal of $5 an endpoint radio); must connect to a
Today the Bluetooth technology is the only specification
variety of devices available to the mobile user (seven
targeted at this new market of cable replacement. Even
simultaneous connections) and support data rates that are

*
Bluetooth is a trademark owned by its proprietor
and used by Intel under license.

!"#$%&&%'()*+,'-%$,%#+$)./$+/-$0 1
Intel Technology Journal Q2, 2000

consistent with a mobile traveler’s needs (1 Mega symbol course, support much higher data rates than today’s
per second data rates per piconet); must support many modems, as public spaces could connect a variety of
simultaneous and private connections (hundreds of private private Bluetooth access points via a LAN that is routed to
piconets within range of each other); must support the the Internet over a DSL line, allowing each access point a
types of data used by mobile users (voice and data); and private 1Mbps connection to the Internet.
must be very low power and compact to support the small
portable devices into which the technology will be
integrated. Finally, the technology must be global as the
mobile devices will travel and must work with devices
found in other parts of the world.

USAGE MODEL
While the Bluetooth∗ usage model is based on connecting
devices together, it is focused on three broad categories:
voice/data access points, peripheral interconnects, and
Personal Area Networking (PAN).

Figure 2: Peripheral interconnects

Peripheral Interconnects
The second category of uses, peripheral interconnects,
involves connecting other devices together as shown in
Figure 2. Imagine standard keyboards, mice, and
joysticks that work over a wireless link. The Bluetooth
link is built into the mobile computer; therefore, the cost
of the peripheral device is less because an access point is
not needed. Additionally, many of these devices can be
used in multiple markets. For example, a Bluetooth
headset used in the office could be connected to a
Bluetooth access point that provides access to the office
Figure 1: Voice/data access points phone and multi-media functions of the mobile computer.
When mobile, the same headset could be used to interface
Voice/Data Access Points
with the cellular phone (which can now remain in a
Voice/data access points is one of the key initial usage briefcase or purse).
models and involves connecting a computing device to a
communicating device via a secure wireless link (see Another aspect of a short-range link like Bluetooth is in
Figure 1). For example, a mobile computer equipped the area of proximity security devices. In this case, if one
with Bluetooth technology could link to a mobile phone device is not within range of another device, the first
that uses Bluetooth technology to connect to the Internet device will go into a high security mode.
to access e-mail. The mobile phone acts as a personal
access point. Even more ideal, the notebook can connect
to the Internet while the cell phone is being carried in a
briefcase or purse. The Bluetooth usage model also
envisions public data access points in the future. Imagine
the current data-equipped pay phones in airports being
upgraded with Bluetooth modems. This would allow any
mobile device equipped with Bluetooth technology to
easily connect to the Internet while located within ten
meters of that access point. These access points could, of


Figure 3: Personal Area Networking (PAN)
Bluetooth is a trademark owned by its proprietor and
used by Intel under license.

!"#$%&&%'()*+,'-%$,%#+$)./$+/-$0 2
Intel Technology Journal Q2, 2000

Personal Area Networking Applications


The last usage model, Personal Area Networking (PAN),
TCP/IP HID RFCOMM
focuses on the ad-hoc formation and breakdown of
personal networks (see Figure 3). Imagine meeting

ol
someone in an airport and quickly and securely

n tr
Data

Co
exchanging documents by establishing a private piconet.
In the future, Bluetooth kiosks could provide access to L2CAP
electronic media that could be quickly downloaded for Audio
later access on the mobile device. Link Manager LMP
Baseband
THE DEVELOPMENT OF THE RF
BLUETOOTH∗ TECHNOLOGY
Figure 4: Bluetooth architecture
The Bluetooth technology was developed by members of
a Special Interest Group (SIG). The participating The Radio Frequency Layer
companies agree not to charge royalties on any
Intellectual Property (IP) necessary to implement the The Bluetooth air interface is based on a nominal antenna
technology. The SIG started initially with the promoters, power of 0dBm (1mW) with extensions for operating at
who were the primary developers of the technology, and up to 20dBm (100mW) worldwide. The air interface
then expanded to include early adopters and adoptees. complies with most country’s ISM band rules up to
20dBm (America, Europe, and Japan). The radio uses
Environment Frequency Hopping to spread the energy across the ISM
spectrum in 79 hops displaced by 1 MHz, starting at 2.402
The Bluetooth technology was developed to be used
GHz and stopping at 2.480 GHz. Currently, the SIG is
within a unique global environment that would not only
working to harmonize this 79-channel radio to work
enable integration into the host devices but would also
globally and has instigated changes within Japan, Spain,
allow the mobile device to travel easily from one country
and other countries.
to another. In addition, due to the personal/confidential
data contained on the different types of client devices The nominal link range is 10 centimeters to 10 meters, but
(e.g., the mobile computer), the link formed between these can be extended to more than 100 meters by increasing the
devices needed to be as secure as the cable it was transmit power (using the 20dBm option).
replacing.
The Bluetooth Baseband
BLUETOOTH ARCHITECTURE As mentioned previously, the basic radio is a hybrid
The Bluetooth technology is divided into two spread spectrum radio. Typically, the radio operates in a
specifications: the core and the profile specifications. The frequency-hopping manner in which the 2.4 GHz ISM
core specification discusses how the technology works, band is broken into 79 one-MHz channels that the radio
while the profile specification focuses on how to build randomly hops through while transmitting and receiving
interoperating devices using the core technologies. This data.
paper deals with the core technology, as illustrated in
Frame
Figure 4, and focuses on the lower layers of the Bluetooth
architecture (up to the link manager). fk fk+1

One
Master Slot
Packet

One
Slave Slot
Packet

625 us
∗ One Slot
Bluetooth is a trademark owned by its proprietor and
used by Intel under license. Figure 5: Single slot frame

!"#$%&&%'()*+,'-%$,%#+$)./$+/-$0 3
Intel Technology Journal Q2, 2000

A piconet is formed when one Bluetooth radio connects to are formed by a master radio simultaneously connecting
another Bluetooth radio. Both radios then hop together up to seven slave radios. The Bluetooth radios are
through the 79 channels. The Bluetooth radio system symmetric in that any Bluetooth radio can become a
supports a large number of piconets by providing each master or slave radio, and the piconet configuration is
piconet with its own set of random hopping patterns. determined at the time of formation. Typically, the
Occasionally, piconets will end up on the same channel. connecting radio will become the master; however, a
When this occurs, the radios will hop to a free channel and “master/slave swap” function allows the roles to be
the data are retransmitted (if lost). reversed. (A device can only be a master in one piconet
though.)
The Bluetooth frame consists of a transmit packet
followed by a receive packet. Each packet can be
composed of multiple slots (1, 3, or 5) of 625 us. A
typical single slot frame is illustrated in Figure 5, which
typically hops at 1,600 hops/second.

Figure 8: Bluetooth radios in the wild


To form a piconet, the Bluetooth radio needs to
Figure 6: Multi-slot frame understand two parameters: the hopping pattern of the
radio it wishes to connect to and the phase within that
Multi-slot frames allow higher data rates because of the pattern. Bluetooth radios each have a unique “Global ID”
elimination of the turn-around time between packets and that is used to create a hopping pattern. In forming a
the reduction in header overhead. For example, single slot piconet, the master radio shares its Global ID with the
packets can achieve a maximum data rate of 172 other radios, which then become slaves and provide all the
Kbits/second, while a 5 slot, 1 slot multi-slot frame will radios with the correct hopping pattern. The master also
support a 721 Kbits/second rate (in the 5-slot direction) shares its clock offset (represented by the clock dial) with
with a 57.6 Kbits/second rate back channel (in the 1-slot the slaves in the piconet, providing the offset into the
direction). A multi-slot frame is illustrated in Figure 6. hopping pattern. This information can easily be
exchanged via the FHS packet.
Network Topology
Normally, radios not connected to the piconet exist in
“Standby” mode. In this mode, the radios are listening for
other radios to find them (“Inquire”) and/or are listening
for a request to form a piconet (“Page”). When a radio
issues an Inquire command, listening radios will respond
with their FHS packet (Global ID and clock offset),
providing the inquiring radio with a list of Bluetooth
radios in the area.
To form a piconet, a Bluetooth radio will page another
radio with its Global ID (obtained by a previous inquiry).
The paged radio will respond with its Global ID, and the
master radio passes the paged radio an FHS packet. The
Figure 7: Network topology paged radio then loads the paging radio’s Global ID and
clock offset, thus joining the master’s piconet. Figure 9
Figure 7 illustrates a typical piconet with each small illustrates Radio A becoming the master to Radios B and
bubble (M, S, P, or Sb) representing a Bluetooth radio. C.
Bluetooth radios connect to each other in piconets, which

!"#$%&&%'()*+,'-%$,%#+$)./$+/-$0 4
Intel Technology Journal Q2, 2000

Once a radio joins a piconet, it is assigned a 3-bit Active channel as the inquiring radio and will respond with an
Member Address (AMA) allowing other radios on the FHS packet (containing its Global ID and clock offset).
piconet to address it. Once the piconet has eight radios The sequence is then repeated for the second set of 16
active, the master must then take a radio and “Park” it on frequencies after which the inquiring radio will have a list
the piconet. This radio stays coordinated with the piconet of FHS packets for all radios within range.
but releases its AMA for an 8-bit Passive Member
Paging follows a similar sequence. Each radio has a
Address (PMA). The freed AMA can now be assigned to
unique sequence of 32 paging frequencies and 32 response
another radio wishing to join the piconet. The
frequencies based on its Global ID. A radio in Standby
combination of AMA and PMA allows over 256 radios to
mode doing a Page Scan will listen for a page of its
actively reside on a piconet, while only the eight radios
Global ID on each of these paging frequencies for 10 ms,
with the AMAs can actively transfer data. This is also
every 1.25 seconds going to the next paging frequency in
illustrated in Figure 9’s Radio D, which has loaded the
the sequence. The paging radio will continuously page
master’s Global ID and clock offset and is parked on the
using the paged radios’ Global ID on one of two sets of 16
piconet (prepared to join the piconet when data are ready
frequencies within the paging radios’ 32 paging
to be transferred).
frequencies. The paging radio makes an estimate (based
on its last known clock offset) of where the paged radios
should be listening and then creates an “A Train” of page
frequencies around this estimated frequency. The paging
radio will then continuously page across these 16
frequencies for 1.25 seconds. If the estimate was wrong
(the paging radio received no response), the paging radio
will next try the remaining 16 frequencies for the next
1.25 seconds. Radios that have little clock offset will be
able to connect very quickly, while radios that have large
clock offsets (meaning the radios haven’t connected
recently) could take up to a maximum of 2.5 seconds to
connect (a complete A/B train search).
Once a radio has been found (via Inquiry) and then placed
into a piconet (via Page), a piconet is formed and some
Figure 9: Bluetooth radios in a piconet
useful work can now take place. Figure 10, entitled
Parked radios listen at a beacon interval for information Functional Overview, depicts the different high-level
addressed to them. This allows a master to perform a states of a Bluetooth radio.
broadcast to all slaves (parked and active).
Radios that are not actively connected to the piconet are in Unconnected Standby
Standby
the Standby state (e.g., Radio E in Figure 9). These
radios listen for Inquires or Pages from other radios. Di
Every 1.25 seconds they will perform a Page Scan and/or sc
on
an Inquiry Scan to see if such a request is being made. ne Ttypical=2s
ct
The inquiry process involves one radio executing a page Connecting Inquiry Page

function on the Inquiry ID (a special global address set States

aside for the Inquire function), while other radios are


Ttypical=0.6s
performing an Inquiry Scan. This process is performed on
a unique sequence of 32 channels. The radio doing an Active
Transmit
data
Connected
Inquire Scan will listen every 1.25 seconds on one of these States AMA
AMA

32 channels for 10 ms, then will repeat this scan on the


next channel (within this 32-channel sequence). A radio Ttypical=2 m s
with Inquire Scan enabled will continue this process until
the Inquire Scan function is disabled. The inquiring radio
will issue a number of pages on the Inquire channels Low-Power
Releases
AMA
PARK
PMA
SNIFF
HOLD
AMA
(twice per single slot) and then listen at the corresponding States Address

response frequency (twice per slot) for 1.25 seconds for


16 of the 32 frequencies. The listening radio’s correlator Figure 10: Functional overview
will fire if it is doing a Page Inquire on the same inquire

!"#$%&&%'()*+,'-%$,%#+$)./$+/-$0 5
Intel Technology Journal Q2, 2000

In the connected state, the Bluetooth radio is assigned a 3- SECURITY


bit Active Member Address (AMA) for which it can then
The way that the Bluetooth∗ radio system is used in
direct data to different devices on the piconet (master is
mobile devices and the type of data carried on these
always referenced as address 0). Broadcasts to other
devices (e.g., a corporate mobile computer) makes
radios on this piconet can be accomplished by the master
security an extremely important factor. While most
sending a packet to address 0. To enable radios to
wireless systems will claim that being a spread spectrum
maintain a connected state with the piconet (maintain the
radio provides security, the volumes projected for
piconets hopping pattern and offset) while maintaining a
Bluetooth radios eliminate this barrier. As such, link layer
very low-power state, radios can be placed in the Park,
and application layer security are part of the basic
Hold, and SNIFF states. For the Hold and Sniff states, the
Bluetooth radio requirements.
radios are told to wake up at given intervals (go away for
x slots); however, in the Sniff state the radio can transfer PIN PIN User Input
(Initialization)
data on that interval (for example, a keyboard might be
told to send/receive data every 20 slots), while in the Hold E2 E2
state no data are transferred. In the Park state, the radio is
told to go away and is given the PMA address. A Parked Authentication (possibly)
Link Key
radio will listen on a Beacon interval to see if the master Link Key Permanent
Storage
has a) asked the parked device to become an active
member, b) asked if any parked device wishes to become E3 E3
an active member, or c) sent any broadcast data.
When in the connected state, the Bluetooth radios can Encryption Temporary
Encryption Key Encryption Key
issue two types of packets: a Synchronous Connection Storage

Oriented (SCO) type or an Asynchronous Connectionless


Figure 11: Link layer security architecture
Type (ACL). The SCO type is associated with
isochronous data, and, to date, this is voice. This is At a link layer, the Bluetooth radio system provides
typically a symmetrical packet of 1, 2, or 3 slots, and the Authentication, Encryption, and Key Management of the
frames are reserved whether they are used or not within various keys involved. Authentication involves the user
the piconet. In order to have an SCO connection, the providing a Personal Identification Number (PIN) that is
radio must have already established an ACL connection. translated into a 128-bit link key that can be authenticated
Once an SCO link has been added, a master or slave unit in a one or two-way direction. Once the radios are
may send SCO packets without being polled. Currently, authenticated, the link can be encrypted at various key
the voice data links use a CVSD coding that provides very lengths (up to 128-bits in 8-bit key increments). The link
good noise immunity and a high-quality voice link. The layer security architecture provides a number of
CVSD coding enables damaged SCO packets to be thrown authentication schemes and a flexible encryption scheme
away (versus retransmitted) while maintaining a high- that allows radios to negotiate for key length. This is
quality voice link. One baseband packet type allows both important, as radios from different countries will be
voice and data to be sent in the same packet (DV packet). talking to each other. Security policies in these countries
will dictate maximum encryption key lengths. Bluetooth
The ACL link is packet-oriented and supports both
radios will negotiate to the smallest common key length
symmetric and asymmetric traffic. As mentioned
for the link (for example, if a USA radio is enabled for a
previously, ACL packets are created with an odd number
128-bit encryption key and a Spanish radio is enabled for
of slots such that the frame is always an even number of
only a 48-bit encryption key, the radios will negotiate a
slots (1/1, 1/3, or 1/5, for example).
link with 48-bit encryption key). The Bluetooth
There are three error correction schemes used in the architecture also supports authorization of different
Bluetooth Baseband: 1/3 rate FEC, 2/3 rate FEC, and services to upper software stacks. For example, when two
Automatic repeat request (ARQ). 1/3 FEC is always computers have created a Bluetooth link to exchange
applied to the packet header information. To increase the business cards, authorization must be created to extend
data rate when the link gets noisy, the radio can start these services (such that one computer could not examine
adding FEC to the channel: for SCO links, a 1/3 FEC is other services on that computer unless enabled to do so).
applied while for ACL links, a 2/3 FEC is applied. As
mentioned previously, SCO packets are thrown away
when damaged. However, for ACL packets, one packet is

directly acknowledged by the recipient in the next packet. Bluetooth is a trademark owned by its proprietor and
used by Intel under license.

!"#$%&&%'()*+,'-%$,%#+$)./$+/-$0 6
Intel Technology Journal Q2, 2000

The Bluetooth security architecture relies on PIN codes


for establishing trusted relationships between devices.
While not practical to go through all the combinations of
uses of PIN codes, it should be noted that once a trusted
pairing is established between devices, these codes can be
stored within the device to allow more automatic/simple
connections. The key to Bluetooth simplicity will be
establishing the trusted relationship between commonly
used devices. For random ad-hoc connections that require
authenticated connections (such as ensuring you are
connecting to who think you are connecting to, something
that is not always obvious with invisible radio waves),
PINs would have to be exchanged (depending on how the
devices are configured).

CONCLUSION
Bluetooth∗ is a radio system designed for connecting a
variety of mobile devices in a secure ad-hoc fashion.
Much thought has gone into developing a radio system
that provides interoperability between different device
types while also meeting the requirements of mobile users.
This paper covered a small aspect of the Bluetooth radio
system, the lower layers of the Bluetooth radio stack.

ACKNOWLEDGMENTS
Thank you to the teams and companies that worked to
develop this radio system in record time. These
companies include, but are not limited to, Intel
Corporation, Ericsson, IBM, Motorola, Nokia, and
Toshiba. Thanks to Laura Mariani for editing this article
and Robert Hunter for reviewing it.

REFERENCES
[1] Bluetooth Specifications, Bluetooth SIG at
http://www.bluetooth.com/.

AUTHOR’S BIOGRAPHY
Jim Kardach is a Principal Engineer with the Mobile
Communications Group (MCG) at Intel Corporation. He
earned a B.S. degree in EE from Fresno State University
and has been employed by Intel for 14 years. Jim is
currently the chairman of the Bluetooth Special Interest
Group, which is now developing extensions to the first-
generation Bluetooth radio system. Jim holds over 35
patents in the areas of computer systems, power
management, and communications and has most recently
lead the developments of the ACPI and Bluetooth
technologies. His e-mail is jim.kardach@intel.com.


Bluetooth is a trademark owned by its proprietor and
used by Intel under license.

!"#$%&&%'()*+,'-%$,%#+$)./$+/-$0 7

You might also like